Solved: Protecting Windows login: "remember me" for a day

Eli3 · ‎12-27-2018

Below is an email conversation (only slightly edited for sharing publicly) that I had with Stephan from Duo earlier in the year. I am posting it here as I think it would be of interest to the Duo Community and perhaps help garner support for what I think is a missing feature in Duo.

______________________________________________

Duo is truly a very robust and configurable solution. We are current planning a pilot at our company. The one feature that is sorely missing is the existence of a “remember me” feature for Windows login. The same is true for that of RDP logins. As I wrote below, if it’s all or nothing, we have to very reluctantly elect to not at all protect Windows logins with Duo. This is highly disappointing and a glaring omission from Duo’s otherwise comprehensive protection.

I do understand that cookies can’t be saved at that stage of pre-login. [A colleague] said that he spoke to the Duo folks at the recent DattoCon convention. He said that he suggested that Duo could use the IP address to identify a computer and allow it to pass through without Duo challenges on subsequent login attempts. Although it is possible to spoof an IP address, at least give the admins the option to rely on IP addresses to facilitate the “remember me” functionality for Windows logins if they so chose. And if for some reason, this specific approach still wouldn’t work, you have a bunch of clever people over there. I suspect you could figure out a way to make it work.

Although the absence of this functionality probably will not stop us from becoming Duo customers, it has been very close to doing so. Instead of a very strong feeling that we’re comprehensively protecting our users, my feeling would be better described as mediocre. I urge you to prioritize the development of this feature. Duo and its customers – both current and potential – will all benefit.

Thanks,
Eli

Hi Eli,

First, I completely understand your concern and you are far from the only person who has them. I’ll try to technically break down all the reason we are where we are right now here so hopefully everyone has a complete understanding of how this works.

As you mentioned, remembered devices works by setting a cookie, which is not possible in the win logon process (no browser).

No way to whitelist based on IP right now.

The ultimate reason both of these things are impossible is because the winlogon tool lives in something called the Windows Secure Desktop, which by design is a type of desktop that is completely out of scope of other application access. We didn’t necessarily choose to do that, but are somewhat forced into it. As architected by Microsoft, the actual Windows login is a subtype of the Secure Desktop, and to interact with that process, Duo has to live at that same layer, because as mentioned the Secure Desktop has no access to applications that live outside of it.

It is true that even in that space, we do have visibility into the IP of the machine, but only as reported by Windows. This is a problem for a couple reasons. It is sometimes inaccurate, and NAT becomes a problem. In essence, when logging into a local machine we only see the LAN address, or when logging into a machine on the same LAN via RDP we also only see a LAN address because of NAT. We don’t support whitelisting private IPs for security reasons. For example, were I to phish your credentials and stole a company laptop (the common concern behind Duo for winlogon) and you had whitelisted a local IP in a policy, I could accidentally or deliberately bypass 2fa. I could potentially be on an open wifi network and get assigned the same private IP via DHCP (unlikely but possible), or an actual malicious actor could just put the machine on a network with a deliberately small DHCP pool.

Simply summarized, we are a bit hamstrung by Microsoft architecture and we’ve deliberately limited one feature for security.

All that said, we have a dev team solely focused on Microsoft integrations and they are constantly looking for another way to solve for this. I expect that in the future we’ll see more login tools because of webauthn and Windows Hello. This is a bit speculative on my part but I know that our internal teams are investigating these tools as a possible path to solving these issues.

Hopefully this helps makes things a little more clear, and helps ease your concerns that it’s not being addressed. Please let me know if you have any more questions.

Regards,
Stephen

Stephan, instead of crippling Duo’s protection on Windows login, it would be far better to allow the admins to make the determination whether to trust IP addresses as reported by Windows. We would rather enable such a feature, even if its benefit isn’t rock-solid, than completely leave Windows logins unprotected. (And the other extreme of requiring Duo authentication on each and every Windows login / screen unlock would be an unacceptable burden to users.)

By way of analogy, Duo clearly states that SMS authentication isn’t really trustworthy, nonetheless, your documentation says:

We view text messages as better than not having any two-factor authentication, since it still blocks attackers that can’t attack SMS technology.

Granted, the IP reported by Microsoft might be the local IP, but when the request gets sent to your web servers at Duo, you are definitely getting the public IP of the computer. So you do, in fact, have that information. I would never expect you to whitelist a private IP as you mentioned.

And regarding RDPing into a computer remotely, and it causing the same IP to show up on your servers even though the person (attacker) is remote, I agree that’s a concern, but let the client decide if we want to care about that. For example, if I know that RDP is not enabled on my users laptops, then I am fine requiring Duo when outside the corporate office, but not requiring it when inside. Leave the decision to us.

Instead of making the decision for administrators, empower them – along with a warning – to make their own security choices.

Thanks,
Eli

PatrickKnight · ‎09-23-2021

Yes! This is starting to roll out to customers starting today through the 30th.

Blog post about the feature: https://duo.com/blog/windows-logon-will-you-remember-me

Docs: Duo Authentication for Windows Logon and RDP | Duo Security

View solution in original post

AKoch1 · ‎12-31-2018

I am in total agreement with you. I am frustrated with this limitation being imposed. I have a client who will not sign on for Duo due to the fact that Windows login will prompt them every time. Let me as the administrator determine what I want to do.

jyoung1 · ‎01-04-2019

Hi Eli,
Thanks for your post. I have added your upvote to an existing feature request entitled: Windows RDP “Remembered Devices”.
This feature request is marked for “Future Consideration” but there isn’t a date associated with it currently. It would require substantial changes to Winlogon and trusted path.
Around the IP discussion that’s probably not the avenue we’d use, as IP trust is problematic and would not want to give Duo Admins a way to accidentally cause harm.
Thank you again for the feedback.
-Jeremy

Eli3 · ‎01-04-2019

Jeremy, what’s the link to that feature request?

jyoung1 · ‎01-04-2019

Eli,
No public link available. Feature Requests are in a Duo internal tool and submitted on your behalf by your account team (me). Thank you!

n19rgy · ‎07-18-2019

So I take it by this thread there is no way around users having to use mfa every time if you have the app installed for Windows Local Login? We want our users to use MFA to login on initial login everyday, however they are going to get mightily frustrated if they have to do it even when you lock the screen. A remember me for 8 hours or similar would be a great way around this issue. Love this product but it may well stop us buying it for this reason.

Eli3 · ‎07-18-2019

@jyoung, is there any update since I originally posted nearly 7 months ago?

@n19rgy, reading your post reawakens those same frustrations… Having our users authenticate every time their screens lock would spark a revolt and is most definitely not an option. We reluctantly decided to signup anyway, without protecting Windows sign-ins at all.

This is truly a black mark on Duo’s otherwise comprehensiveness.

jyoung1 · ‎07-18-2019

@Eli The latest is that this is on the roadmap for calendar year 2019, but has many TBD contingencies.
We use a technology called a credential provider on Windows that allows us to interject during authentications. Windows, not Duo, decides when a credential provider is invoked. This is why we cannot reduce the amount of times that Duo shows up. So unfortunately, it’s not a simple configuration change on our end to where we could limit the amount of MFA requests.
It’s definitely a top priority fix that is, and has been, a focus for quite some time now.

tagem · ‎10-10-2019

So its later in 2019, any chance on this feature? We want to only prompt every 2 hours or so >.<

jyoung1 · ‎10-11-2019

Our product team has shared with me that some investigation is planned on this feature in 2020, but there is no timeline on potential delivery. Please check with your customer success manager or account executive for more details.

Eli3 · ‎07-21-2020

Now that we’re way into 2020, what’s the update on this?

Eli3 · ‎10-23-2019

Does this have any impact on this topic?

henryng · ‎07-21-2020

Any update on "remember me " feature?

Amy2 · ‎07-21-2020

Hi everyone, thank you for your interest in Windows RDP Remembered Devices. There is an update, and the feature is under development. We’d love to tell you more, but of course we can’t share details or timelines in the public community. Your Customer Success Manager or Account Executive will be able to though, and I’ll note your interest in participating in a private preview when one is available.

Eli3 · ‎07-22-2020

In response to my inquiry, Duo informed me yesterday:

the Remember Me option for WinLogon is on the roadmap, due to be released in Q4 2020